[clang-tidy] Add a close-on-exec check on accept4() in Android module.
Summary: accept4() should be called with the SOCK_CLOEXEC flag set, to avoid file descriptor leakage. Differential Revision: https://reviews.llvm.org/D35363 llvm-svn: 311027
Showing
8 changed files
with
169 additions
and
0 deletions.
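--- a/clang-tools-extra/clang-tidy/android/CloexecAccept4Check.cpp
+++ b/clang-tools-extra/clang-tidy/android/CloexecAccept4Check.cpp
@@ -0,0 +1,40 @@
+//===--- CloexecAccept4Check.cpp - clang-tidy------------------------------===//
+//
+// The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+
+#include "CloexecAccept4Check.h"
+#include "../utils/ASTUtils.h"
+#include "clang/AST/ASTContext.h"
+#include "clang/ASTMatchers/ASTMatchFinder.h"
+
+using namespace clang::ast_matchers;
+
+namespace clang {
+namespace tidy {
+namespace android {
+
+void CloexecAccept4Check::registerMatchers(MatchFinder *Finder) {
+auto SockAddrPointerType =
+hasType(pointsTo(recordDecl(isStruct(), hasName("sockaddr"))));
+auto SockLenPointerType = hasType(pointsTo(namedDecl(hasName("socklen_t"))));
+
+registerMatchersImpl(Finder,
+functionDecl(returns(isInteger()), hasName("accept4"),
+hasParameter(0, hasType(isInteger())),
+hasParameter(1, SockAddrPointerType),
+hasParameter(2, SockLenPointerType),
+hasParameter(3, hasType(isInteger()))));
+}
+
+void CloexecAccept4Check::check(const MatchFinder::MatchResult &Result) {
+insertMacroFlag(Result, /*MarcoFlag=*/"SOCK_CLOEXEC", /*ArgPos=*/3);
+}
+
+} // namespace android
+} // namespace tidy
+} // namespace clang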
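Review bot: The argument comment in `check()` is misspelled as `/*MarcoFlag=*/`. Assuming the corresponding parameter of `insertMacroFlag` (declared in CloexecCheck.h, which this page does not show) is named `MacroFlag`, the call should read `insertMacroFlag(Result, /*MacroFlag=*/"SOCK_CLOEXEC", /*ArgPos=*/3);` so that readers and argument-comment tooling see a matching name. `registerMatchers()` would also benefit from a one-line comment stating that the matcher pins the full `accept4` prototype (integer return, then int, `struct sockaddr *`, `socklen_t *`, int), presumably so that unrelated functions that only share the name are never rewritten.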
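--- a/clang-tools-extra/clang-tidy/android/CloexecAccept4Check.h
+++ b/clang-tools-extra/clang-tidy/android/CloexecAccept4Check.h
@@ -0,0 +1,35 @@
+//===--- CloexecAccept4Check.h - clang-tidy----------------------*- C++ -*-===//
+//
+// The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_CLOEXEC_ACCEPT4_H
+#define LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_CLOEXEC_ACCEPT4_H
+
+#include "CloexecCheck.h"
+
+namespace clang {
+namespace tidy {
+namespace android {
+
+/// Finds code that uses accept4() without using the SOCK_CLOEXEC flag.
+///
+/// For the user-facing documentation see:
+/// http://clang.llvm.org/extra/clang-tidy/checks/android-cloexec-accept4.html
+class CloexecAccept4Check : public CloexecCheck {
+public:
+CloexecAccept4Check(StringRef Name, ClangTidyContext *Context)
+: CloexecCheck(Name, Context) {}
+void registerMatchers(ast_matchers::MatchFinder *Finder) override;
+void check(const ast_matchers::MatchFinder::MatchResult &Result) override;
+};
+
+} // namespace android
+} // namespace tidy
+} // namespace clang
+
+#endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_CLOEXEC_ACCEPT4_H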
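--- a/clang-tools-extra/docs/clang-tidy/checks/android-cloexec-accept4.rst
+++ b/clang-tools-extra/docs/clang-tidy/checks/android-cloexec-accept4.rst
@@ -0,0 +1,18 @@
+.. title:: clang-tidy - android-cloexec-accept4
+
+android-cloexec-accept4
+=======================
+
+``accept4()`` should include ``SOCK_CLOEXEC`` in its type argument to avoid the
+file descriptor leakage. Without this flag, an opened sensitive file would
+remain open across a fork+exec to a lower-privileged SELinux domain.
+
+Examples:
+
+.. code-block:: c++
+
+accept4(sockfd, addr, addrlen, SOCK_NONBLOCK);
+
+// becomes
+
+accept4(sockfd, addr, addrlen, SOCK_NONBLOCK | SOCK_CLOEXEC);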
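--- a/clang-tools-extra/test/clang-tidy/android-cloexec-accept4.cpp
+++ b/clang-tools-extra/test/clang-tidy/android-cloexec-accept4.cpp
@@ -0,0 +1,66 @@
+// RUN: %check_clang_tidy %s android-cloexec-accept4 %t
+
+typedef int socklen_t;
+struct sockaddr {};
+
+#define SOCK_NONBLOCK 1
+#define __O_CLOEXEC 3
+#define SOCK_CLOEXEC __O_CLOEXEC
+#define TEMP_FAILURE_RETRY(exp) \
+({ \
+int _rc; \
+do { \
+_rc = (exp); \
+} while (_rc == -1); \
+})
+#define NULL 0
+
+extern "C" int accept4(int sockfd, struct sockaddr *addr, socklen_t *addrlen, int flags);
+
+void a() {
+accept4(0, NULL, NULL, SOCK_NONBLOCK);
+// CHECK-MESSAGES: :[[@LINE-1]]:39: warning: 'accept4' should use SOCK_CLOEXEC where possible [android-cloexec-accept4]
+// CHECK-FIXES: accept4(0, NULL, NULL, SOCK_NONBLOCK | SOCK_CLOEXEC);
+TEMP_FAILURE_RETRY(accept4(0, NULL, NULL, SOCK_NONBLOCK));
+// CHECK-MESSAGES: :[[@LINE-1]]:58: warning: 'accept4'
+// CHECK-FIXES: TEMP_FAILURE_RETRY(accept4(0, NULL, NULL, SOCK_NONBLOCK | SOCK_CLOEXEC));
+}
+
+void f() {
+accept4(0, NULL, NULL, 3);
+// CHECK-MESSAGES: :[[@LINE-1]]:27: warning: 'accept4'
+// CHECK-FIXES: accept4(0, NULL, NULL, 3 | SOCK_CLOEXEC);
+TEMP_FAILURE_RETRY(accept4(0, NULL, NULL, 3));
+// CHECK-MESSAGES: :[[@LINE-1]]:46: warning: 'accept4'
+// CHECK-FIXES: TEMP_FAILURE_RETRY(accept4(0, NULL, NULL, 3 | SOCK_CLOEXEC));
+
+int flag = SOCK_NONBLOCK;
+accept4(0, NULL, NULL, flag);
+TEMP_FAILURE_RETRY(accept4(0, NULL, NULL, flag));
+}
+
+namespace i {
+int accept4(int sockfd, struct sockaddr *addr, socklen_t *addrlen, int flags);
+
+void d() {
+accept4(0, NULL, NULL, SOCK_NONBLOCK);
+TEMP_FAILURE_RETRY(accept4(0, NULL, NULL, SOCK_NONBLOCK));
+}
+
+} // namespace i
+
+void e() {
+accept4(0, NULL, NULL, SOCK_CLOEXEC);
+TEMP_FAILURE_RETRY(accept4(0, NULL, NULL, SOCK_CLOEXEC));
+accept4(0, NULL, NULL, SOCK_NONBLOCK | SOCK_CLOEXEC);
+TEMP_FAILURE_RETRY(accept4(0, NULL, NULL, SOCK_NONBLOCK | SOCK_CLOEXEC));
+}
+
+class G {
+public:
+int accept4(int sockfd, struct sockaddr *addr, socklen_t *addrlen, int flags);
+void d() {
+accept4(0, NULL, NULL, SOCK_NONBLOCK);
+TEMP_FAILURE_RETRY(accept4(0, NULL, NULL, SOCK_NONBLOCK));
+}
+};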
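Review bot: The negative cases carry no comment saying why no diagnostic is expected, and the one in `f()` marks a real coverage gap: `accept4(0, NULL, NULL, flag)` with `int flag = SOCK_NONBLOCK;` passes silently, so a descriptor accepted with flags held in a variable can still be inherited across exec without the check noticing. I would add `// No warning: the flags are not spelled at the call site, so the check cannot tell whether SOCK_CLOEXEC is set.` above that call, and one-line comments on `i::d()` and `G::d()` such as `// No warning: not the libc accept4().`. The literal case `accept4(0, NULL, NULL, 3)` also deserves a note, since `SOCK_CLOEXEC` expands to 3 in this file and the warning is still expected, which suggests the check looks for the macro spelling rather than the value. The same limitation seems worth one sentence in android-cloexec-accept4.rst, so users do not read a clean run as proof that every accepted socket is close-on-exec.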